FBI probes if banks hacked back
The hacked are itching to hack back.
So say a dozen security specialists and former law-enforcement officials, who described an intensifying and largely unspoken sense of unease inside many companies after the recent breach of Sony Corp.’s networks.
U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the U.S. have few clear options for striking back on their own.
That has led a growing number of companies to push the limits of existing law to consider ways to break into hackers’ networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property hackers may have stolen.
In one case, the Federal Bureau of Investigation is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, said two people familiar with the investigation. JPMorgan Chase & Co. advocated such a move in a closed meeting in February 2013, these people said. A bank spokeswoman said no action was ever taken. Federal investigators are still trying to determine who was responsible, the people said.
“It’s kind of a Wild West right now,” said U.S. Representative Michael McCaul, the Texas Republican who is the chairman of the House Homeland Security Committee. Some victim companies may be conducting offensive operations “without getting permission” from the federal government, he said.
“They’re very frustrated,” McCaul said of these firms.
Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp., and the Center for Strategic & International Studies. Counterstrikes are a small part of the overall cyber-security industry, which Gartner Inc. projects will surpass $78 billion in worldwide revenue next year.
The idea of hacker-on-hacker justice raises thorny questions, including when U.S. companies can legally order international strikes on their behalf. Also little explored, so far, are the consequences of engaging hackers that may be backed, explicitly or implicitly, by states from North Korea and Iran to China and Russia.
The idea of counterstrikes gained an unprecedented level of visibility when President Barack Obama vowed on Dec. 19 to mount a “proportional” response against North Korea for the Sony breach, which destroyed data and leaked movies and employee e-mails. North Korea suffered Internet outages a few days later. The White House has declined to comment on North Korea’s accusation that the U.S. government played a role.
“Sony represents a dramatic escalation — one so punitive in nature that I think it does change the equation,” said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., a Tokyo-based security firm. Trend Micro advises clients against taking aggressive countermeasures, he said.
Already, someone appears to have struck back against the Sony attacks. Fake copies of “Fury,” “Annie” and other leaked films began appearing earlier this month on file-sharing sites, slowing the computers of people attempting to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, Calif.-based security company. The fake files have now largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said.
Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach.
In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.
The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.
U.S. law-enforcement agencies appear to give security companies more leeway when it comes to breaching computers to gather intelligence on the hackers or discover what data they took, according to a former law-enforcement official. Such work is “widely done” by security firms, Kellermann said.
Last year’s discussion among banks about retaliatory strikes came after a wave of so-called denial of service attacks starting in 2012 that temporarily disabled several of their websites. The U.S. attributed the attack to Iran’s Quds Force, McCaul said. Iran denied being behind the strikes.
In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.
Within JPMorgan the idea had been vetted, according to a second person familiar with the incident. Some of the people at the meeting — which included FBI and Treasury Department officials, as well as representatives of Citigroup Inc., Goldman Sachs Group Inc. and the New York Stock Exchange — dismissed the idea on legal grounds, the two people said.
Federal investigators later discovered a third party had taken some of the servers involved in the attack offline, according to the people familiar with the situation.
Based on that finding, the FBI began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers, according to people familiar with the probe.
JPMorgan spokeswoman Trish Wexler said the JPMorgan employee didn’t put forth a formal plan at the meeting and that the bank wanted the government to do more to stop attacks. The FBI questioned JPMorgan representatives about the incident and appeared satisfied the bank wasn’t involved in hacking, Wexler said.
Spokespeople for other attendees, including NYSE, Citigroup and Goldman Sachs, declined to comment when asked this month about the meeting. Representatives from Treasury didn’t respond to messages.
Jenny Shearer, an FBI spokeswoman, declined to comment about the meeting or any probe.
“The FBI cautions private-sector entities from taking offensive measures in response to being hacked,” she said.